diff -u openafs-1.4.7.dfsg1/debian/changelog openafs-1.4.7.dfsg1/debian/changelog
--- openafs-1.4.7.dfsg1/debian/changelog
+++ openafs-1.4.7.dfsg1/debian/changelog
@@ -1,3 +1,14 @@
+openafs (1.4.7.dfsg1-6+lenny1) stable-security; urgency=high
+
+ * Apply upstream security patches from 1.4.9:
+ - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
+ items than requested are returned from an InlineBulk or BulkStatus
+ message. (CVE-2009-1251)
+ - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
+ kernel memory pointers. (CVE-2009-1250)
+
+ -- Russ Allbery Mon, 06 Apr 2009 15:53:20 -0700
+
 openafs (1.4.7.dfsg1-6) unstable; urgency=low
 
 * Apply upstream patch to free /proc entries in the correct order.
diff -u openafs-1.4.7.dfsg1/debian/openafs-client.NEWS openafs-1.4.7.dfsg1/debian/openafs-client.NEWS
--- openafs-1.4.7.dfsg1/debian/openafs-client.NEWS
+++ openafs-1.4.7.dfsg1/debian/openafs-client.NEWS
@@ -1,3 +1,14 @@
+openafs (1.4.7.dfsg1-6+lenny1) unstable; urgency=high
+
+ This release of OpenAFS contains security fixes in the kernel module.
+ Be sure to also upgrade openafs-modules-source, build a new kernel
+ module for your system following the instructions in
+ /usr/share/doc/openafs-client/README.modules.gz, and then either stop
+ and restart openafs-client or reboot the system to reload the kernel
+ module.
+
+ -- Russ Allbery Mon, 06 Apr 2009 15:51:14 -0700
+
 openafs (1.4.2-6) unstable; urgency=medium
 
 As of this release of the OpenAFS kernel module, all cells, including
only in patch2: unchanged:
--- openafs-1.4.7.dfsg1.orig/src/afs/LINUX/osi_vnodeops.c
+++ openafs-1.4.7.dfsg1/src/afs/LINUX/osi_vnodeops.c
@@ -45,6 +45,10 @@
 #define pageoff(pp) pp->offset
 #endif
 
+#ifndef MAX_ERRNO
+#define MAX_ERRNO 1000L
+#endif
+
 #if defined(AFS_LINUX26_ENV)
 #define UnlockPage(pp) unlock_page(pp)
 #endif
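Review bot: The `#ifndef MAX_ERRNO` fallback in the osi_vnodeops.c hunk carries no comment saying what the constant bounds or why 1000L was chosen, and kernels that do define MAX_ERRNO in <linux/err.h> use 4095, so a reader cannot tell whether the narrower fallback is intentional. I would add above the `#ifndef`: `/* Upper bound on errno values that ERR_PTR() can encode; older kernels do not define it (newer ones use 4095 in <linux/err.h>), so 1000 serves as a conservative fallback. */` If the smaller range is deliberate rather than just cautious, the comment is the place to say so.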
@@ -1051,8 +1055,10 @@
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,10)
 if (code == ENOENT)
 return ERR_PTR(0);
- else
+ else if ((code >= 0) && (code <= MAX_ERRNO))
 return ERR_PTR(-code);
+ else
+ return ERR_PTR(-EIO);
 #else
 if (code == ENOENT)
 code = 0;
@@ -1396,7 +1402,10 @@
 
 if (code < 0) {
 dput(basep);
- res = ERR_PTR(code);
+ if (code < -MAX_ERRNO)
+ res = ERR_PTR(-EIO);
+ else
+ res = ERR_PTR(code);
 } else {
 name[code] = '\0';
 res = lookup_dentry(name, basep, follow);
only in patch2: unchanged:
--- openafs-1.4.7.dfsg1.orig/src/afs/VNOPS/afs_vnop_lookup.c
+++ openafs-1.4.7.dfsg1/src/afs/VNOPS/afs_vnop_lookup.c
@@ -538,8 +538,6 @@
 int nskip; /* # of slots in the LRU queue to skip */
 struct vcache *lruvcp; /* vcache ptr of our goal pos in LRU queue */
 struct dcache *dcp; /* chunk containing the dir block */
- char *statMemp; /* status memory block */
- char *cbfMemp; /* callback and fid memory block */
 afs_size_t temp; /* temp for holding chunk length, &c. */
 struct AFSFid *fidsp; /* file IDs were collecting */
 struct AFSCallBack *cbsp; /* call back pointers */
@@ -597,13 +595,11 @@
 * one for fids and callbacks, and one for stat info. Well set
 * up our pointers to the memory from there, too.
 */
- statMemp = osi_AllocLargeSpace(nentries * sizeof(AFSFetchStatus));
- statsp = (struct AFSFetchStatus *)statMemp;
- cbfMemp =
- osi_AllocLargeSpace(nentries *
- (sizeof(AFSCallBack) + sizeof(AFSFid)));
- fidsp = (AFSFid *) cbfMemp;
- cbsp = (AFSCallBack *) (cbfMemp + nentries * sizeof(AFSFid));
+ statsp = (AFSFetchStatus *)
+ osi_Alloc(AFSCBMAX * sizeof(AFSFetchStatus));
+ fidsp = (AFSFid *) osi_AllocLargeSpace(nentries * sizeof(AFSFid));
+ cbsp = (AFSCallBack *)
+ osi_Alloc(AFSCBMAX * sizeof(AFSCallBack));
 
 /* next, we must iterate over the directory, starting from the specified
 * cookie offset (dirCookie), and counting out nentries file entries.
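Review bot: The new range test `else if ((code >= 0) && (code <= MAX_ERRNO))` in the @@ -1051 hunk carries the whole reason for the CVE-2009-1250 fix, yet nothing at the site says why an out-of-range value has to become -EIO, and the mirrored `if (code < -MAX_ERRNO)` test in the @@ -1396 hunk has the same gap. I would put above each test: `/* ERR_PTR() can only encode -MAX_ERRNO..0; any other value would be handed back as an ordinary pointer and dereferenced by the caller. */` The @@ -1051 hunk also shows the first lines of a `#else` branch (`if (code == ENOENT) code = 0;`) that continues past the hunk, so whether that pre-2.2.10 path needs the same guard cannot be judged here. Both enclosing functions start outside their hunks.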
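Review bot: The comment kept as context at the top of the @@ -597 hunk (`one for fids and callbacks, and one for stat info. Well set up our pointers to the memory from there`) describes the removed two-block layout, while the new code makes three allocations under two different sizing rules, and nothing explains why `statsp` and `cbsp` are sized by `AFSCBMAX` when `fidsp` stays at `nentries`. I would rewrite that comment to say that the status and callback arrays are sized for AFSCBMAX entries because a BulkStatus/InlineBulk reply may carry more entries than were requested (the overrun the changelog records as CVE-2009-1251), while the fid array presumably only holds the nentries fids sent in the request. The `osi_Alloc` results are left unchecked as the old `osi_AllocLargeSpace` ones were; if `osi_Alloc` can return NULL in this configuration the code that follows will dereference it, which is worth confirming against its definition. The @@ -538 hunk only drops the two now-unused pointer declarations, and the enclosing function starts outside this view.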
@@ -1081,7 +1077,7 @@
 afs_PutVolume(volp, READ_LOCK);
 
 /* If we did the InlineBulk RPC pull out the return code */
- if (inlinebulk) {
+ if (inlinebulk && code == 0) {
 if ((&statsp[0])->errorCode) {
 afs_Analyze(tcp, (&statsp[0])->errorCode, &adp->fid, areqp,
 AFS_STATS_FS_RPCIDX_BULKSTATUS, SHARED_LOCK, NULL);
@@ -1091,8 +1087,9 @@
 code = 0;
 }
 done2:
- osi_FreeLargeSpace(statMemp);
- osi_FreeLargeSpace(cbfMemp);
+ osi_FreeLargeSpace((char *)fidsp);
+ osi_Free((char *)statsp, AFSCBMAX * sizeof(AFSFetchStatus));
+ osi_Free((char *)cbsp, AFSCBMAX * sizeof(AFSCallBack));
 return code;
 }
 
only in patch2: unchanged:
--- openafs-1.4.7.dfsg1.orig/src/sys/rmtsysc.c
+++ openafs-1.4.7.dfsg1/src/sys/rmtsysc.c
@@ -241,8 +241,14 @@
 InData.rmtbulk_len = data->in_size;
 InData.rmtbulk_val = inbuffer;
 inparam_conversion(cmd, InData.rmtbulk_val, 0);
- OutData.rmtbulk_len = data->out_size;
- OutData.rmtbulk_val = data->out;
+
+ OutData.rmtbulk_len = MAXBUFFERLEN * sizeof(*OutData.rmtbulk_val);
+ OutData.rmtbulk_val = malloc(OutData.rmtbulk_len);
+ if (!OutData.rmtbulk_val) {
+ free(inbuffer);
+ return -1;
+ }
+
 /* We always need to pass absolute pathnames to the remote pioctl since we
 * lose the current directory value when doing an rpc call. Below we
 * prepend the current absolute path directory, if the name is relative */
@@ -279,8 +285,15 @@
 if (!errorcode) {
 /* Do the conversions back to the host order; store the results back
 * on the same buffer */
- outparam_conversion(cmd, OutData.rmtbulk_val, 1);
+ if (data->out_size < OutData.rmtbulk_len) {
+ errno = EINVAL;
+ errorcode = -1;
+ } else {
+ memcpy(data->out, OutData.rmtbulk_val, data->out_size);
+ outparam_conversion(cmd, data->out, 1);
+ }
 }
+ free(OutData.rmtbulk_val);
 free(inbuffer);
 return errorcode;
 }
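Review bot: The condition `if (inlinebulk && code == 0)` in the @@ -1081 hunk now makes the read of `(&statsp[0])->errorCode` depend on the RPC having succeeded, but the comment above it (`If we did the InlineBulk RPC pull out the return code`) still reads as unconditional. I would extend it to: `/* If we did the InlineBulk RPC and it succeeded, pull out the per-call return code; after an RPC failure statsp[] cannot be trusted. */` The frees in the @@ -1087 hunk pass the same AFSCBMAX sizes as the new allocations, which is what osi_Free needs. Both hunks sit inside a function that starts outside this view.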
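Review bot: The malloc failure branch in the @@ -241 hunk returns -1 after `free(inbuffer)` without setting errno itself, so the caller sees whatever malloc and then free() left behind, and free() is not guaranteed to preserve errno; the EINVAL path added in the @@ -279 hunk sets errno explicitly and this branch should match it: `free(inbuffer); errno = ENOMEM; return -1;`. The enclosing function starts before the hunk.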
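Review bot: The `memcpy(data->out, OutData.rmtbulk_val, data->out_size)` in the @@ -279 hunk copies the caller's full buffer length, but the guard just above it only establishes `data->out_size >= OutData.rmtbulk_len`, so the copy reads past the bytes the RPC returned and, if `data->out_size` can exceed the `MAXBUFFERLEN` block allocated in the @@ -241 hunk, past the end of that heap block. Copying the returned length restores what the old in-place decode wrote: `memcpy(data->out, OutData.rmtbulk_val, OutData.rmtbulk_len);`. This assumes the RPC stub rewrites `rmtbulk_len` to the decoded length, which the hunk does not show; if it did not, the `data->out_size < OutData.rmtbulk_len` test would reject every caller whose buffer is smaller than the maximum, so the assumption looks sound but is worth confirming. The enclosing function starts before the hunk.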